tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Klotz Jr, Dennis" <DKl...@empirix.com>
Subject RE: web.xml question
Date Tue, 29 Nov 2005 15:48:36 GMT
Thanks for your reply.

I really hope that isn't the case. I really do not want the
computational overhead of SSL for the rest of my web application. We are
sending back thousands of rows of data.

Paulo, my co-worker, figured out that he could use a redirect inside of
the login.jsp to force the use of https but that in itself has problems.
For example, if you directly type the URL of that login.jsp you will get
a 400 error. (the login.jsp is no longer transparent - at least that is
my understanding)

I find this a hard pill to swallow :) that one must enable SSL for the
whole webapp if you wish to use a form based login.


-Dennis

-----Original Message-----
From: Tim Funk [mailto:funkman@joedog.org] 
Sent: Tuesday, November 29, 2005 10:34 AM
To: Tomcat Users List
Subject: Re: web.xml question

Security constraints are only imposed on the incoming URL.

Long story short - you'll need to place the entire webapp in SSL. There
is no 
clean way to use declarative statements to force the login to be SSL and
the 
rest of the webapp be nonssl.

-Tim

Klotz Jr, Dennis wrote:

> Hello all. I hope your day is going well.
> 
> I need your help.
> 
> I cannot get a forms based login page to use SSL when I think I've
setup
> the web.xml correctly. 
> 
> Why doesn't my login.jsp use HTTPS when tomcat is invoking it for
> authorization? (more details at the bottom)
> 
> Here are the relevant sections of my web.xml:
> 
> -----------------------------------------
> 
> <!-- BEGIN_LOGIN_SECURITY -->
>    <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Login page</web-resource-name>
>       <url-pattern>/login.jsp</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
> 
>     <!--   Enable this for SSL -->
> 
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL
>       </transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
> 
>   <!-- END_LOGIN_SECURITY -->
> 
>   <!-- ======================================= -->
> 
>   <!-- LOGIN AUTHENTICATION -->
>   <!-- Form authentaication requires SSL -->
>        <login-config>
>            <auth-method>FORM</auth-method>
>            <realm-name>Application</realm-name>
>            <form-login-config>
>                <form-login-page>/login.jsp</form-login-page>
>                <form-error-page>/error_401.html</form-error-page>
>            </form-login-config>
>        </login-config>
> 
> 
> 
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>VoIP Monitor Applications</web-resource-name>
>       <url-pattern>/CallQDiagnostics.jsp</url-pattern>
>       <url-pattern>/report_index.jsp</url-pattern>
>       <url-pattern>/CallQAnalysis.jsp</url-pattern>
>       <url-pattern>/index.jsp</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
> 
>     <auth-constraint>
>       <role-name>monitor_tier1</role-name>
>       <role-name>monitor_guest</role-name>
>       <role-name>monitor_admin</role-name>
>       <role-name>monitor_tier3</role-name>
>     </auth-constraint>
> 
>     <!--   Enable this for SSL -->
> 
>     <user-data-constraint>
>       <transport-guarantee>NONE
>       </transport-guarantee>
>     </user-data-constraint>
> 
>   </security-constraint>
> 
> ----------------------------------------------------------
> 
> So here is what happens. I type the full URL to the CallQAnalsysis.jsp
> (for example) and the login.jsp is invoked BUT it has NOT been
> redirected to the HTTPS connector (which is enabled and working).
> 
> Now if I type the address of the login.jsp directly, then the
connection
> is redirected over HTTPS. 
> 
> Why doesn't the login.jsp use HTTPS when tomcat is invoking it for
> authorization?
> 
> Any help figuring out what I am doing wrong is greatly appreciated.
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message